Topic: Remote Library Injection [pdf] seeking thoughts.

Offline LordVader

Remote Library Injection [pdf] seeking thoughts.
« on: October 08, 2007, 07:07:07 am »
The link to the data first:
http://www.hick.org/code/skape/papers/remote-library-injection.pdf

Basic rundown of what it describes: exploiting methods to deliver DLL-type payloads to hook/alter memory locations on a remote system. Wondering if anybody had any thoughts on this or knows of instances where it has been used in worms/viruses in the wild.

Also just a thought, and curious: if using this method through an exploit in a Blizzard game that has Warden implemented, possibly being able to reverse the situation and upload something to them through some in-game exploit, ideally through Warden functions/data directly, for the sake of it being ironic.
I could see a situation in court, being sued by Blizzard, and saying, well, they uploaded data to my machine before asking my permission; I just did the same to them through their methods to load unwanted data onto my machine.


Footnote: not seeking to get into a TOS or EULA debate about their right to do whatever to protect their game, etc. More that the concepts above are interesting to me; curious for others' thoughts and other similar examples or known instances in the wild, etc.

Offline Camel

Re: Remote Library Injection [pdf] seeking thoughts.
« Reply #1 on: October 08, 2007, 10:03:24 am »
It's a cool idea, but you'd be hard pressed to find an exploit in the BNCS protocol. Even if you did, it'd be extremely difficult to actually take advantage of it, given that you have no access to a machine running the software they use.

I don't think you could do it through the warden packets. If you had access to the BNCS servers, it would most likely be quite trivial to inject a virus in the executable code the server sends to the client.

<Camel> i said what what
<Blaze> in the butt
<Camel> you want to do it in my butt?
<Blaze> in my butt
<Camel> let's do it in the butt
<Blaze> Okay!

Offline LordVader

Re: Remote Library Injection [pdf] seeking thoughts.
« Reply #2 on: October 08, 2007, 01:25:15 pm »
True heh.

Offline Skywing

Re: Remote Library Injection [pdf] seeking thoughts.
« Reply #3 on: October 08, 2007, 02:15:25 pm »
There are indeed examples of this out there in the wild; for example, VNC isn't launched as a separate process but rather as a thread in the target process with the Metasploit VNC shell option, IIRC.

Injecting code into other processes has plenty of use cases other than for hiding malicious code, however. (For example, VNC normally loads a DLL into processes being remoted in order to capture GUI-related activity. There are plenty of other examples of expected library injection.)

But this paper doesn't really relate all that much to Warden. It is more describing an approach whereby an existing project is reused (perhaps with a secondary thread or code hooks) to perform whatever approach is desired in terms of exploit code, instead of, say, starting a separate shell process for communication (which might be more obvious).

For what it's worth, though, Blizzard has not exactly had a stellar track record of security with respect to their network protocols. There have been plenty of bugs with the BNCS protocol in the past, exploitable both against the server and against clients to varying degrees, up to and including potential code execution due to bad message handling code.